Part-21: Compute Engine Storage – Key Management Service (Cloud KMS) in Google Cloud Platform (GCP)



This content originally appeared on DEV Community and was authored by Latchu@DevOps

Data States Encryption

Types of Data Encryption

It is highly recommended to encrypt both Data at Rest and Data in Transit.

Symmetric Key Encryption

  1. Symmetric Key Encryption uses the same key for both Encryption and Decryption
  2. Example Encryption Algorithms
  • DES – Data Encryption Standard
  • Triple DES
  • AES – Advanced Encryption Standard
  • IDEA – International Data Encryption Algorithm

Advantages

  • Security: Algorithms like AES would take billions of years to crack using brute-force attacks.
  • Speed: Because of its shorter key it is much faster to execute and uses fewer resources (CPU, Memory) to Encrypt and Decrypt
  • Industry adoption and acceptance: Algorithms like AES have become the gold standard of data encryption because of their security and speed benefits and are widely used across the industry.
  • RECOMMENDED for Bulk Data Transfers

Challenges

  • How to secure the encryption key?
  • How to share the encryption key?

Asymmetric Key Encryption

  1. Asymmetric Key Encryption uses two keys: a Private Key and a Public Key
  2. Encrypts data with the public key and decrypts with the private key
  3. Example Encryption Algorithms
  • RSA: Rivest–Shamir–Adleman
  • DSS: Digital Signature Standard
  • DSA: Digital Signature Algorithm
  • ECC: Elliptic Curve Cryptography

Advantages

  • The private key is never shared. The overall process is more secure when compared to Symmetric key encryption

Disadvantages

  • The encryption process is slow
  • Resource utilization is very high
  • Not recommended for bulk data transfers

Google Cloud – Key Management Service (KMS)

  1. Cloud KMS is used to centrally manage encryption keys on GCP
  2. Supports both Symmetric and Asymmetric key encryption
  3. Use KMS-generated encryption keys in your applications and GCP Services (Compute Engine, Cloud SQL)
  4. KMS provides an API to encrypt, decrypt or sign data, which can be used in application development.
  5. Key Management Options available for use
  • Google-managed encryption key (No configuration required)
  • CMEK: Customer-managed encryption key (Managed via Cloud KMS)
  • CSEK: Customer-supplied encryption key (Managed outside of Google Cloud)

The Google-managed encryption key is applied by default.
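As an added example (not code from the original post), the Python script below shows what the CSEK option means in practice for a Compute Engine disk: the customer generates and keeps the 256-bit key, hands gcloud only its base64 form in a `--csek-key-file`, and Google retains just the SHA-256 of the key to identify it. The project, zone and disk names are placeholders.

```python
"""Generate, validate and package a Compute Engine customer-supplied encryption key (CSEK)."""
import base64
import hashlib
import json
import secrets

KEY_BYTES = 32  # Compute Engine raw CSEKs must be exactly 256 bits


def generate_csek() -> str:
    """Return a fresh 256-bit AES key, base64-encoded as gcloud expects it."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate_csek(key_b64: str) -> bytes:
    """Decode a base64 key and reject anything that is not exactly 32 raw bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"CSEK must be {KEY_BYTES} bytes, got {len(raw)}")
    return raw


def csek_sha256(key_b64: str) -> str:
    """Base64 SHA-256 of the raw key: the only thing Compute Engine stores about the key."""
    digest = hashlib.sha256(validate_csek(key_b64)).digest()
    return base64.b64encode(digest).decode("ascii")


def csek_key_file(project: str, zone: str, disk: str, key_b64: str) -> str:
    """Build the JSON document passed to `gcloud compute disks create --csek-key-file`."""
    validate_csek(key_b64)
    uri = (
        "https://www.googleapis.com/compute/v1/projects/"
        f"{project}/zones/{zone}/disks/{disk}"
    )
    return json.dumps([{"uri": uri, "key": key_b64, "key-type": "raw"}], indent=2)


if __name__ == "__main__":
    # Placeholder project, zone and disk names; keep the printed key outside Google Cloud.
    key = generate_csek()
    print(csek_key_file("my-project", "us-central1-a", "data-disk", key))
    print("sha256 Compute Engine will record:", csek_sha256(key))
```

Losing the key means the disk can no longer be attached or snapshotted, which is the trade-off of managing keys outside Google Cloud.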
